ASP.NET website anti-attack security settings
2013-11-06 11:35
Remediation for the "decrypted __VIEWSTATE parameter" finding (ViewState that is not MAC-protected can be read and tampered with by the client): add the following under <system.web>:
<machineKey validation="3DES"/>
Disable script debugging. A debug build serves stack traces and source lines on error pages, so the compilation element under <system.web> must have debug="false" (debug="true" leaves debugging on):
<compilation debug="false" />
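The two settings above, plus the related page and error settings they are usually paired with, as one hardened <system.web> section. This is an added example, not configuration from the original post; it assumes a .NET 4.x application (where HMACSHA256 is an accepted validation value alongside the 3DES value the post recommends) and an Error.aspx page that exists in the site.

```xml
<!-- Added example, not from the original post. Assumes .NET 4.x and an ~/Error.aspx page. -->
<configuration>
  <system.web>
    <!-- Sign (validation) and encrypt (decryption) __VIEWSTATE and auth tickets.
         The post uses validation="3DES"; HMACSHA256 is the stronger choice on .NET 4.x. -->
    <machineKey validation="HMACSHA256" decryption="AES" />

    <!-- Make the MAC and encryption apply to every page, not just those that opt in. -->
    <pages enableViewStateMac="true" viewStateEncryptionMode="Always" />

    <!-- debug="true" exposes source and stack traces and disables the request execution timeout. -->
    <compilation debug="false" />

    <!-- A generic error page instead of the detailed ASP.NET error screen. -->
    <customErrors mode="On" defaultRedirect="~/Error.aspx" />

    <!-- Keep session and auth cookies away from script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```

With viewStateEncryptionMode="Always" the __VIEWSTATE field is no longer readable by the client at all, which removes the finding the post is remediating rather than only detecting tampering with it.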
Cross-site request forgery: to prevent CSRF attacks, every request should carry a unique identifier, a parameter the attacker cannot guess. Binding ViewState to the session ID does this for postbacks:
protected override void OnInit(EventArgs e)
{
    base.OnInit(e);
    // ViewStateUserKey must be assigned before ViewState is loaded, i.e. in OnInit.
    // It is folded into the ViewState MAC, so a form captured in another session
    // fails validation when it is replayed.
    if (System.Web.HttpContext.Current.Session != null)
    {
        ViewStateUserKey = Session.SessionID;
    }
}
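The OnInit snippet above protects one page. The following is an added example, not code from the original post, that applies the same key site-wide through a base page class and handles the one caveat that makes the SessionID approach fail in practice: ASP.NET issues a new SessionID on every request until something is stored in the session, so a page that sets ViewStateUserKey = SessionID before the session holds any data rejects its own postback. The example assumes the project has a Global.asax and that pages inherit from the SecurePage class defined here.

```csharp
// Added example, not from the original post.
// Assumes: pages inherit from SecurePage; Global.asax.cs defines the Global class.
using System;
using System.Web;
using System.Web.UI;

// Every page that derives from this class binds its ViewState MAC to the session.
public class SecurePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Must run before ViewState is loaded; the key is mixed into the MAC, so a
        // __VIEWSTATE field captured in another session fails validation on replay.
        if (Context.Session != null)
        {
            ViewStateUserKey = Session.SessionID;
        }
    }
}

// Global.asax.cs. Until a value is written to the session, ASP.NET generates a fresh
// SessionID for each request, which would change the key between the GET that
// rendered the form and the POST that submits it. Touching the session once at
// Session_Start makes the ID stable for the rest of the session.
public class Global : HttpApplication
{
    protected void Session_Start(object sender, EventArgs e)
    {
        Session["__sessionInitialized"] = DateTime.UtcNow;
    }
}
```

Pages that are served without a session (Session disabled via EnableSessionState="false") skip the assignment, which is why the null check is kept.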
Prevent forged user identity: when the login page is first opened, discard whatever session state the browser is already carrying.
public partial class AdminLogin : System.Web.UI.Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // On the initial GET (not a postback) drop any existing session data so a
        // session established before the login cannot carry state into it.
        if (!Page.IsPostBack)
            Session.Clear();
    }
}
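Session.Clear() empties the session but keeps the same session ID. The following added example (not code from the original post) extends the AdminLogin page so that a successful login also issues a fresh session ID and only then sets the forms-authentication cookie, which closes the session-fixation case where an attacker plants a session ID before the victim authenticates. It assumes a hypothetical Accounts.Verify(userName, password) credential check, TextBox controls named UserName and Password, a Label named Message, and forms authentication configured in web.config.

```csharp
// Added example, not from the original post.
// Assumes: Accounts.Verify (hypothetical), UserName/Password TextBoxes, Message Label,
// forms authentication enabled in web.config.
using System;
using System.Web;
using System.Web.Security;
using System.Web.SessionState;
using System.Web.UI;

public partial class AdminLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // Same step as the original snippet: drop pre-login session data.
            Session.Clear();
        }
    }

    protected void LoginButton_Click(object sender, EventArgs e)
    {
        string user = UserName.Text;
        if (!Accounts.Verify(user, Password.Text))   // hypothetical credential check
        {
            Message.Text = "Invalid login";
            return;
        }

        // Discard the pre-login session and replace the session cookie, so an ID
        // that existed before authentication is never promoted to an authenticated one.
        Session.Clear();
        var manager = new SessionIDManager();
        manager.Initialize();
        string newId = manager.CreateSessionID(Context);
        bool redirected, cookieAdded;
        manager.SaveSessionID(Context, newId, out redirected, out cookieAdded);

        // Issue the auth ticket only after the session ID has been rotated.
        FormsAuthentication.SetAuthCookie(user, false);
        Response.Redirect("~/Admin/Default.aspx", false);
    }
}
```

The new session ID takes effect on the next request, which is why the handler ends with a redirect rather than rendering the admin page directly.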
Prevent SQL injection: a keyword/character blacklist applied to user input.
public static bool FilterChar(string oldstr)
{
    // Returns true when the input contains none of the listed fragments.
    // This is a blacklist: it rejects legitimate input such as "O'Brien" or "(425)",
    // and any keyword or encoding not in the list passes. Use it only as an extra
    // input check on top of parameterized queries, never as the sole defense.
    bool flag = true;
    string[] filterstr = {"and ","exec ","insert ","select ","delete ","update ","count(","from ","drop ","asc(","char(","or ","chr(","mid("," master",
    "truncate ","declare ","sitename","net user","xp_cmdshell "," /add","exec master.dbo.xp_cmdshell","net localgroup administrators",
    "%",";","'","\"","-","@",",","\\","!","(",")","[","]","{","}","|"};
    for (int i = 0; i < filterstr.Length; i++)
    {
        // Case-insensitive match: "SELECT " must be caught as well as "select ".
        if (oldstr.IndexOf(filterstr[i], StringComparison.OrdinalIgnoreCase) >= 0)
        {
            flag = false;
            break;
        }
    }
    return flag;
}
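The blacklist above only matters when user input is concatenated into SQL text. The following added example (not code from the original post) shows that concatenated query beside the parameterized form that removes the injection class entirely, so FilterChar becomes at most a defense-in-depth check. It assumes a connection string named "Main" in web.config and a Users table with UserName and PasswordHash columns.

```csharp
// Added example, not from the original post.
// Assumes: connection string "Main" in web.config; Users(UserName, PasswordHash) table.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;

public static class UserLookup
{
    private static readonly string ConnStr =
        ConfigurationManager.ConnectionStrings["Main"].ConnectionString;

    // Vulnerable form: the input becomes part of the SQL statement, so any quote or
    // keyword that FilterChar does not list changes what the server executes.
    // Kept here only as the "before" picture.
    public static string LookupHashUnsafe(string userName)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash FROM Users WHERE UserName = '" + userName + "'", conn))
        {
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Hardened form: the value is sent as a typed parameter and is never parsed as SQL.
    // Apostrophes, dashes and parentheses in a legitimate name ("O'Brien") now work,
    // and the 64-character limit matches the column instead of relying on a blacklist.
    public static string LookupHash(string userName)
    {
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(
            "SELECT PasswordHash FROM Users WHERE UserName = @name", conn))
        {
            cmd.Parameters.Add("@name", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }
}
```

The same rule applies to stored procedures: pass values through cmd.Parameters with CommandType.StoredProcedure rather than building an EXEC string.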